Community Update — October 19, 2018

Security updates and experimentation with Staking Models

This week we cover important security improvements to existing dApps and explore Staking Models.

Tabby Rewards

Tabby Rewards continues to be a main focus for our team. We recently revamped our entire user interface as the design we had simply didn’t work. Our new design has been tested with a dedicated focus group over the past few weeks and there have been some positive improvements. We will continue iterating this new design until we get it right.

Changes to Metamask

As some of you may be aware, Metamask recently announced changes to their browser plugin to mitigate a serious privacy vulnerability. All third-party dApps that communicate with Metamask are now required to request access to user accounts, and the user is then asked to approve or deny the request. Previously, Metamask would automatically inject an Ethereum provider and Web3 instance for the webpage to use, revealing a whole class of personally identifiable information. The old way of communicating with dApps had serious privacy issues, as malicious websites could use the injected objects to view a user’s active Ethereum address. Our team is, of course, in favor of the updated security measures. These changes are necessary to keep users’ information (e.g., balance and transaction history) private.

We have integrated the new permission request with our multiple-wallet select-and-unlock flow in the underlying BlockCAT and Tabby architecture, so it will be immediately available across all our products and all future smart contracts.

Other dApp browsers such as Status, Mist, and imToken are following suit. Since our contracts interact with some of these dApps, we have to incorporate the changes into our smart contracts. In addition, this work will be added to our library for future smart contracts. We are working hard on having the changes implemented prior to the Metamask deadline of November 2, 2018. You can read more about the update to Metamask and how it will affect users in their Medium Article.
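The permission request described above, sketched from the dApp side as an added example (this is not BlockCAT's or Metamask's own code). It assumes the `ethereum.enable()` call from Metamask's announcement and the legacy `web3.currentProvider` / `web3.eth.accounts` objects; `connectWallet` and the sample windows are hypothetical names constructed for illustration.

```javascript
// `win` is the page's window object, passed in so the logic can be run
// outside a browser. connectWallet is a hypothetical helper name.
async function connectWallet(win) {
  // New flow: the provider is present, but accounts stay hidden until the
  // user approves the prompt raised by enable().
  if (win.ethereum && typeof win.ethereum.enable === 'function') {
    try {
      const accounts = await win.ethereum.enable();
      if (!Array.isArray(accounts) || accounts.length === 0) {
        return { status: 'locked', accounts: [] };
      }
      return { status: 'approved', accounts };
    } catch (err) {
      // A denial is a normal outcome: show a connect button again rather
      // than re-prompting automatically.
      return { status: 'denied', accounts: [] };
    }
  }
  // Old flow: web3 was injected automatically and the address is readable
  // without any prompt, which is the exposure the change removes.
  if (win.web3 && win.web3.currentProvider) {
    const accounts = (win.web3.eth && win.web3.eth.accounts) || [];
    return { status: 'legacy', accounts };
  }
  return { status: 'no-provider', accounts: [] };
}

// Constructed stand-ins for the injected objects (sample data, not wallet code).
const ADDR = '0x0000000000000000000000000000000000000001';
const approvingWindow = { ethereum: { enable: async () => [ADDR] } };
const denyingWindow = {
  ethereum: { enable: async () => { throw new Error('User denied access'); } },
};
const legacyWindow = { web3: { currentProvider: {}, eth: { accounts: [ADDR] } } };
const emptyWindow = {};
```

In a page, call `connectWallet(window)` from a user-initiated action such as a "Connect wallet" button, and read balances or history only when the status is `approved`.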

Further Experimentation on Staking

Although our primary focus is on Tabby Rewards and keeping up to date with recent security changes, we have had one of our Junior Developers working on a new project. We are not quite ready to share what the project is; however, it has been a great testbed for experimenting with staking models and getting a better understanding of their implications.

Like all other smart contract development, there are some complex questions related to incentives, extensibility, usability and security which have to be answered when developing an effective staking model — and different implementation models to be considered for a given application area. Security is also a major concern and the developer must be able to identify any vulnerabilities in a given staking model (i.e., implications in voting systems, vouching systems and risk management) — security here isn’t just the story of known vulnerabilities, code review and validation processes, but also the need to understand the incentives and game-theoretic implications at varying scales.

As we’ve communicated numerous times, it is absolutely essential to us that the end product (in this case, the concept of a staking model) is usable and understandable to regular users. If we’re building “smart contracts for everyone,” we absolutely cannot require a deep understanding of game theory, cryptography or even web3 and Ethereum characteristics. Getting these details right remains a core focus.